Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Auto-Protect is disabled because registration of the virus databases failed

Created: 04 Mar 2009 • Updated: 21 May 2010 | 18 comments

Forgive me if this is covered in another thread.  I can't search the forums for any relevant keywords, and I really don't have time to browse it all.

Here's the problem.  I have an event id 42 in my app log saying  Auto-Protect is disabled because registration of the virus databases failed- it gives me a link to resolve it:    http://www.symantec.com/techsupp/servlet/ProductMessages?product=SAVCORP&version=11.0.2010.7&language=english&module=1000&error=0074&build=symantec_ent

I have tried the steps listed but the error comes up every night when new defs get pushed out.  This is the only client among some 50+ exhibiting the problem. 

I downloaded and ran the support tool, and I was advised that:

Error Name:  NAVENG
Type:  Kernel Driver
Error Exit Code A device attached to the system is not functioning.

Error Name:  NAVEX15
Type:  Kernel Driver
Error Exit Code A device attached to the system is not functioning.

Any of this ring a bell out there?

This is version 11.0.2010.25 running on Windows Server 2003

Thanks!

Comments 18 CommentsJump to latest comment

Paul Murgatroyd's picture

Hi Swade,

I'm aware of this issue on a couple of machines at another customer too.. support is working on it... can I ask you to please log a call with support and get them to do two things:

1. Cross reference your case number with 240-879-908

2. Get it referenced on defect 1508235

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

TonySimmons's picture

I'm running 10.1.7.7000, the definitions load on the client, the database fails to initialize and auto protect gets turned off.

Gaoquan's picture

we have the smae issue.you can upgrade to vesion 10.1.8.8000,beacuse Symantec reduce paged pool hoding in this vesion .

Julie Barnes's picture

I have the same issue with one machine...version 10.1.7.7001. The system console showed the machine as enabled, but the desktop's auto-protect was disabled. I worry that I may have more clients with the same issue.

Bruce.A.Singer@oa.mo.gov's picture

We have a 10.1.6.6000 setup.  The worst part about this bug is their is nothing in the MMC to indicate that the Auto-Protect has been disabled.  How many of our workstations have Auto-Protect disabled.  How can we find them and get it re-enabled.

rickyrome's picture

We are getting this same error on a few of our servers. honestly it can be more systems, i havent really noticed since in the managment console everything shows up good until you get the error in the event log. the fix points to a symantec corporate edition version i have not tried it but seems like it hasnt been succesfull any other suggestions?

Ricardo Romero

MCTS

Julie Barnes's picture

My case with Symantec was closed since I reinstalled on the client's machine. I still consider the problem to be quite worrisome as there could be more clients out there with their auto-protect disabled. Has anyone gotten anything helpful from Symantec regarding this issue? We're running Corporate Edition 10.1.7.

glenn.kime@i3global.com's picture

First 3 are concerns about recovery, and the 4th on prevention

1) Why is this only a warning in the Event Log?
2) Why isn't this reported to the SSC so we can track and take action?
3) Since the usual fix is to restart the service, why isn't this done automatically, at least once or twice?
4) Why is this happening, and when will a fix be delivered?

jsioui's picture

We are experiencing the same problem and it seems to be growing.  Everything described in this thread is exactly what is happening in our environment.  The solution that Symantec provided was to download and install RxDefs utility on the servers.  I noted that we have two primary and two secondary servers and all workstation problems are registered to one secondary server where we ran the utility.  It found one bad file - NAVENG.NLM and states that it was corrupted.  We are waiting to get approval to reboot the server and see if this fixed the problem.  I will keep everyone posted.
 

Roadblockx's picture

I am running into this issue and have 200+ users that I am responsible for along with 7 servers.  May not seem like much but I would really like to know how to solve this auto-protect issue so I don't have to rely on the end user noticing this problem and then reporting it.  Also, how can I get the SSC to alert me when auto-protect craps out? 

Maggie Horosky's picture

Case 240-973-129
I have one workstation, Lenovo laptop, same issue.
Where is the fix for this please?

Peterpan's picture

I think its better to move in to the SEP migration. I believe that this issue might be resolved

:-)

Rafeeq's picture

Hi,

As a possible work around, try deleting everything in the virusdefs folder ( take a back up please)
run the liveudpate and click on fix in SEP once the defs are updated.

Hope this helps.

Vikram Kumar-SAV to SEP's picture

I think the discussion is about SAV 

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Rafeeq's picture

For Symantec Antivius 10 can you guys follow these steps after taking the backup of the registry.

Change the value of ImagePath at the following registry locations:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVRT

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVRTPEL

To:

\??\C:\Program Files\Symantec AntiVirus\savrt.sys

\??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys

Verify the driver files exist at those locations

Note: The values must NOT be included within quotes "".

Hope this helps , good day

glenn.kime@i3global.com's picture

Symantec,

As separately documented in case 320-211-355, the first & foremost issue is this:

We need a mechanism for this situation to be detectable via the Symantec Console.

Only in this way do we know which machines are UNPROTECTED (Autoprotect disabled).

Once we have a list of such machines, advise on how to resolve is the next order of business.  So far, a simple restart of the Symantec Service has re-enabled Autoprotect.  If this is insufficient, then a discussion on the root cause & resolution is desired.

Finally, now that all of our machines are protected once again, and we are notified of any future such issues, we would like this incident to actually be prevent from recurring.

Glenn

Jukka Ruotsila's picture

Hi,

Did you add the logging of event 42 in registry by hand yet? I had to do that and now I can see the affected machines in reporting server.

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Common\ForwardEvents\0]
"42"=dword:00000001

And the same key for every client group.

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Groups\[Group name here]\ClientConfig\Common\ForwardEvents\0]
"42"=dword:00000001

Then restart Symantec Antivirus service of server. This needs to be done to all servers.

- Jukka